Wireguard network unreachable from HA #209

Closed
github-k8n opened this issue Aug 25, 2022 · 10 comments
Labels
stale There has not been activity on this issue or PR for quite some time.

Comments

@github-k8n

Problem/Motivation

Multiple devices within the local network should be accessed via WireGuard (from Home Assistant).
Therefore a corresponding configuration with IPs in the 10.84.x.x range (the local network uses 192.168.x.x) was created.

I can verify that the wireguard connection is up and running, ICMP echo requests (ping) from the device to the "server" wireguard IP get a reply and logs show that the peer is connected.

However when trying to add an rtsp camera on that IP I get a timeout and the following error:
Error from stream worker: Error opening stream (ERRORTYPE_101, Network unreachable) rtsp://10.84.0.2:1935/cam/1

Expected behavior

Possible to have connectivity between devices and HA via wireguard.

Actual behavior

Error, wireguard network seems to be unreachable from HA

@github-actions

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues.
Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍
This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

@github-actions github-actions bot added the stale There has not been activity on this issue or PR for quite some time. label Sep 25, 2022
@github-k8n
Author

Not sure if "stale" should be added to issues after a month already :) it is still happening with the current version (which is the same version as when opening the case :)

@github-actions github-actions bot removed the stale There has not been activity on this issue or PR for quite some time. label Sep 28, 2022
@pilek

pilek commented Sep 29, 2022

@github-k8n are you able to do a ping from server to peer and from peer to server? I want to use it in the same way, but in my case I cannot ping the peer from HA.

@github-k8n
Author

@pilek, neither can I. IIRC it only works from client to "server" (which is probably the wireguard addon). The other way, from HA itself (SSH) to the client IP, it says the network is unreachable.
My guess is that wireguard is running in its own container or something and the connectivity/routing between HA (and potentially other Add-Ons) and Wireguard is not set up correctly.

@pilek

pilek commented Sep 30, 2022

@github-k8n can you execute traceroute <peer_IP> and show the output?

@github-k8n
Author

On client:


peer: XXXXXXXXXXXXXXXXXXXXXXXXXX (pubkey)
  endpoint: 192.168.178.90:51820
  allowed ips: 10.84.0.100/32
  latest handshake: 40 seconds ago
  transfer: 728 B received, 2.08 KiB sent
  persistent keepalive: every 5 seconds
===
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.84.0.101  netmask 255.255.255.0  destination 10.84.0.101
===
# ping 10.84.0.100
PING 10.84.0.100 (10.84.0.100) 56(84) bytes of data.
64 bytes from 10.84.0.100: icmp_seq=1 ttl=64 time=3.30 ms
64 bytes from 10.84.0.100: icmp_seq=2 ttl=64 time=6.90 ms
===
# traceroute 10.84.0.100
traceroute to 10.84.0.100 (10.84.0.100), 30 hops max, 60 byte packets
 1  10.84.0.100 (10.84.0.100)  2.952 ms  5.262 ms  3.992 ms

=============
=============
On server:
$ ifconfig 
eth0      Link encap:Ethernet  HWaddr xxxxxxxxx  
          inet addr:172.30.33.0  Bcast:172.30.33.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1131032 errors:0 dropped:0 overruns:0 frame:0
          TX packets:717 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:100414884 (95.7 MiB)  TX bytes:89520 (87.4 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3812 (3.7 KiB)  TX bytes:3812 (3.7 KiB)


(it just seems to go out to the default route until it hits the public internet where the private IP is no longer routed)
$ traceroute 10.84.0.101
traceroute to 10.84.0.101 (10.84.0.101), 30 hops max, 46 byte packets
 1  XXXXX-esphome.local.hass.io (172.30.32.1)  0.013 ms  0.009 ms  0.004 ms
 2  wpad.fritz.box (192.168.178.1)  0.502 ms  0.490 ms  0.436 ms
 3 XXXXX.t-ipconnect.de (X.X.X.X)  24.214 ms !N  4.528 ms !N  4.655 ms !N

and of course connecting via ssh to home assistant will not land you in the wireguard container? (so no wg command or similar available)


So what I see/understand is that the wireguard client/server is in its own container and the routing between that and the HA container is not working correctly.

@giuian69

I cannot reach the ESPHome sensors which are in the subnet of the wireguard client.
From the client I can ping the server but not vice versa. Maybe I'm trying to do something impossible?

@github-actions

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues.
Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍
This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

@github-actions github-actions bot added the stale There has not been activity on this issue or PR for quite some time. label Nov 16, 2022
@CarlosGS

Hi, I made a command to fix this; you need to add it to configuration.yaml:

sensor:
  - platform: command_line
    name: Wireguard addon internal IP
    command: host_result=$(host a0d7b954-wireguard); addon_ip=${host_result##* }; ip route replace 172.27.66.0/24 via $addon_ip; echo $addon_ip

It runs in HASS and adds the correct route, feel free to use it. Not sure if this could be achieved from the plugin itself.
I hope it helps, cheers!
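
The traceroute earlier in the thread shows the underlying fault: the Home Assistant container has no route for the WireGuard subnet, so packets for 10.84.0.101 follow the default route and leave the tunnel entirely. As an added example (not code from this thread or from the add-on), the script below applies the kernel's longest-prefix match to constructed `ip route show` output to tell whether a tunnel address is covered by a specific route; both routing tables and the add-on IP 172.30.33.5 are assumptions.

```shell
#!/bin/sh
# Constructed `ip route show` output for the Home Assistant container,
# modelled on the eth0 address and first traceroute hop shown in the thread.
ROUTES_BEFORE='default via 172.30.32.1 dev eth0
172.30.32.0/23 dev eth0 scope link src 172.30.33.0'

# Same table after adding a route for the tunnel subnet via the add-on.
# 172.30.33.5 is an assumed add-on container IP, not a value from the thread.
ROUTES_AFTER="$ROUTES_BEFORE
10.84.0.0/24 via 172.30.33.5 dev eth0"

# Print the route line that wins longest-prefix match for address $1
# in routing table text $2 (IPv4 only).
best_route() {
    printf '%s\n' "$2" | awk -v dst="$1" '
        function ip2int(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { d = ip2int(dst); best = -1 }
        NF == 0 { next }
        {
            pfx = $1; len = 32            # a bare address is a /32 host route
            if (pfx == "default") { pfx = "0.0.0.0"; len = 0 }
            else if (index(pfx, "/")) { split(pfx, p, "/"); pfx = p[1]; len = p[2] + 0 }
            size = 2 ^ (32 - len)         # number of addresses in the prefix
            if (int(d / size) == int(ip2int(pfx) / size) && len > best) {
                best = len; line = $0
            }
        }
        END { if (best >= 0) print line }'
}

# Exit 0 only if $1 is covered by a route more specific than the default;
# exit 1 means tunnel traffic would be sent to the default gateway.
has_specific_route() {
    case "$(best_route "$1" "$2")" in
        ""|default*) return 1 ;;
        *) return 0 ;;
    esac
}
```

On a live system, pass `"$(ip route show)"` as the second argument. The subnet in the `ip route replace` command has to be the tunnel's own range, which for the original report is 10.84.0.0/24 rather than 172.27.66.0/24.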

@github-actions github-actions bot removed the stale There has not been activity on this issue or PR for quite some time. label Nov 17, 2022
@github-actions

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues.
Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍
This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

@github-actions github-actions bot added the stale There has not been activity on this issue or PR for quite some time. label Dec 18, 2022
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 25, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Jan 24, 2023